The vulnerability allows an attacker with limited access to a system, either via a terminal or SSH session, to elevate privileges and gain root access.

It can't be used to break into secure computers, but it is still useful to attackers because it can quickly turn simple intrusions into bad hacks.

While the vulnerability is not in the redoubtable category of "as-bad-as-it-gets" flaws, the security flaw could not be ignored by the Linux and infosec communities once its existence was made public on Thursday.

The reason is where it was found: the X.Org Server package, a core graphics and windowing technology that is the base for the more famous KDE and GNOME desktop interface suites, and is found in all major Linux and BSD distros that offer users a windows-based interface.

However, according to a report authored by security researcher Narendra Shinde, since May 2016, the X.Org Server package had contained a vulnerability that allowed attackers to elevate privileges and/or overwrite any file on the local system, even crucial OS data.

The issue, tracked as CVE-2018-14665, was caused by improper handling of two command-line options, namely -logfile and -modulepath, which allowed an attacker to insert and execute their own malicious operations. The flaw was exploitable only when X.Org Server was configured to run with root privileges itself, which is a common setup for many distros.

X.Org Foundation developers released X.Org Server 1.20.3 to fix this issue. The fix disables support for these two command-line arguments if the X.Org Server package runs with root privileges.
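For administrators who want to check a machine against the two conditions described above (a server that runs with root privileges, and a release older than 1.20.3), the following script is an added example and is not code from the article or from the X.Org project. It assumes "runs with root privileges" means a setuid-root binary, that GNU `stat` is available, and that the path to the Xorg binary is passed as the first argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: local check for the CVE-2018-14665 conditions in the article.
FIXED="1.20.3"   # fixed release named in the article

# version_lt A B: succeed if dotted numeric version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# banner_version: read `Xorg -version` output on stdin, print the release number.
banner_version() {
    sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exposure MODE UID VERSION: classify a binary from its octal mode, owner and version.
# The article gives no first affected release (only "since May 2016"), so an old
# version is reported as "predates-fix", and distro backports may still cover it.
exposure() {
    mode=$1; uid=$2; ver=$3
    case $mode in
        [4567]???) suid=1 ;;   # leading 4-7 in a 4-digit mode = setuid bit set
        *)         suid=0 ;;
    esac
    if [ "$uid" != 0 ] || [ "$suid" -eq 0 ]; then echo "not-setuid-root"
    elif [ -z "$ver" ]; then echo "unknown-version"
    elif version_lt "$ver" "$FIXED"; then echo "predates-fix"
    else echo "has-fix"; fi
}

# check_xorg PATH: assumes GNU stat; PATH is whatever Xorg binary the distro installs.
check_xorg() {
    ver=$("$1" -version 2>&1 | banner_version)
    exposure "$(stat -c %a "$1")" "$(stat -c %u "$1")" "$ver"
}

if [ "$#" -gt 0 ]; then check_xorg "$1"; fi
```

A "predates-fix" result on a setuid-root binary is a prompt to check the distribution's advisory for CVE-2018-14665, since packaged builds can carry the fix under an older version number.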
